Overview
CVE-2025-62724 identifies a Time of Check to Time of Use (TOCTOU) vulnerability in Open OnDemand (OOD), an open-source HPC portal. The flaw allows a malicious user to bypass the file access restrictions defined by the OOD_ALLOWLIST when downloading zip files, potentially gaining unauthorized access to files. Versions prior to 4.0.8 and 3.1.16 are affected. It concerns every site that uses the file browser allowlist on any OOD version before those fixes. While UNIX permissions still provide a layer of protection, immediate patching is strongly recommended.
Technical Details
The TOCTOU vulnerability arises while the Open OnDemand file browser creates a zip file for download. Because the allowlist check and the later file access are separate operations on the same path, an attacker can alter the file system between the moment Open OnDemand checks that a file is within the allowed list (the “time of check”) and the moment the file is actually opened and added to the zip archive (the “time of use”). The change can be as simple as renaming a file or creating a symbolic link to a file outside the intended allowlist after the check has passed but before the archive is written. A carefully crafted request can thereby pull files the user should not have access to into the downloadable archive.
It’s crucial to note that standard UNIX permissions remain in effect. This means the attacker still needs to possess the underlying UNIX permissions to access the files, mitigating the impact to some extent. However, in environments with misconfigured permissions or where users share common groups, the risk can be significantly higher.
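As an added example (not code from this advisory or from the Open OnDemand project), the following Python contrasts the check-then-use pattern described above with a read that keeps the check and the use on the same open handle: paths are opened relative to an already-open allowlisted directory descriptor, one component at a time with O_NOFOLLOW, so a rename or symbolic link landing between the two steps cannot redirect the read outside the tree. It assumes a Linux or other POSIX host where os.open supports dir_fd (openat); the directory layout, file names and contents are constructed for the demonstration, and the race hook stands in for the concurrent file-system change.

```python
import io
import os
import shutil
import stat
import tempfile
import zipfile


def _within(real_path, allowlist):
    """Allowlist test on a resolved path name: the 'time of check'."""
    return any(real_path == root or real_path.startswith(root.rstrip("/") + "/")
               for root in allowlist)


def vulnerable_zip_entry(allowlist, path, race=lambda: None):
    """Check-then-use on a name. `race` (constructed hook) stands in for the window
    in which another process can rename the file or drop a symlink at `path`."""
    if not _within(os.path.realpath(path), allowlist):
        raise PermissionError(path)
    race()
    with open(path, "rb") as f:  # re-resolves the name: whatever is there now gets read
        return f.read()


def hardened_zip_entry(root_fd, relpath):
    """Open relpath relative to an already-open allowlisted directory fd, one component
    at a time with O_NOFOLLOW (plus O_DIRECTORY for intermediate components). The lookup
    cannot leave the tree, and the bytes come from the inode that was actually opened."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError(relpath)
    dir_fds, cur = [], root_fd
    try:
        for part in parts[:-1]:
            cur = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=cur)
            dir_fds.append(cur)
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=cur)  # ELOOP on a symlink
        try:
            if not stat.S_ISREG(os.fstat(fd).st_mode):
                raise PermissionError(relpath)
            chunks = []
            while chunk := os.read(fd, 65536):
                chunks.append(chunk)
            return b"".join(chunks)
        finally:
            os.close(fd)
    finally:
        for d in dir_fds:
            os.close(d)


def build_zip(root_fd, relpaths):
    """Assemble the download from fd-relative reads; entries that fail the checks
    are skipped and reported instead of being silently included."""
    buf, skipped = io.BytesIO(), []
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in relpaths:
            try:
                zf.writestr(rel, hardened_zip_entry(root_fd, rel))
            except OSError as e:  # PermissionError and the ELOOP OSError both land here
                skipped.append((rel, type(e).__name__))
    return buf.getvalue(), skipped


def demo():
    """Constructed scenario: an allowlisted tree plus a file outside it."""
    base = os.path.realpath(tempfile.mkdtemp())
    allowed = os.path.join(base, "allowed")
    os.makedirs(os.path.join(allowed, "sub"))
    os.makedirs(os.path.join(base, "private"))
    report = os.path.join(allowed, "sub", "report.txt")
    secret = os.path.join(base, "private", "secret.txt")
    for path, data in ((report, b"public report\n"),
                       (os.path.join(allowed, "sub", "ok.txt"), b"still fine\n"),
                       (secret, b"not for download\n")):
        with open(path, "wb") as f:
            f.write(data)

    def swap():  # the file-system change landing between check and use
        os.remove(report)
        os.symlink(secret, report)

    leaked = vulnerable_zip_entry([allowed], report, race=swap)
    root_fd = os.open(allowed, os.O_RDONLY | os.O_DIRECTORY)
    try:
        archive, skipped = build_zip(
            root_fd, ["sub/report.txt", "sub/ok.txt", "../private/secret.txt"])
    finally:
        os.close(root_fd)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
    shutil.rmtree(base)
    return {"leaked": leaked, "names": names, "skipped": skipped}


if __name__ == "__main__":
    print(demo())
```

In the hardened variant the allowlist entry is the directory descriptor itself, so there is no separate name check to race: a symlink dropped at an allowlisted name fails the open with ELOOP, a path containing `..` is rejected before any open, and only the regular file that was actually opened is read into the archive.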
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-62724 a score of 4.3, classifying it as a MEDIUM severity vulnerability. The CVSS vector is likely AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (this vector is an educated guess based on the description; the actual vector may differ slightly depending on the full details of the vulnerability). This indicates that the vulnerability is network accessible, requires low attack complexity and low privileges, and needs no user interaction. The impact is limited to a partial loss of confidentiality, with no impact on integrity or availability.
Possible Impact
Exploitation of CVE-2025-62724 could lead to:
- Unauthorized Information Disclosure: Attackers could potentially gain access to sensitive data residing outside the intended file browser scope.
- Privilege Escalation (Limited): While not a direct privilege escalation, successful exploitation could allow users to access files they would normally not be able to, effectively granting them elevated access to specific information.
- Compromised Data Integrity (Potentially): If the attacker can modify the targeted files, the system’s data integrity could be compromised, though this scenario relies heavily on UNIX permissions and the specific configuration.
Mitigation or Patch Steps
The primary mitigation strategy is to immediately upgrade your Open OnDemand installation to one of the following versions:
- Version 4.0.8 or later
- Version 3.1.16 or later
These versions contain the necessary patches to address the TOCTOU vulnerability. If immediate patching is not feasible, consider implementing the following temporary mitigations:
- Review and Harden UNIX Permissions: Ensure that file permissions are correctly configured to minimize the risk of unauthorized access, even if the allowlist is bypassed. Pay special attention to shared directories and group permissions.
- Monitor File Access Logs: Implement monitoring of file access logs to detect any suspicious activity that might indicate exploitation attempts.
- Restrict File Browser Access: Limit the number of users who have access to the Open OnDemand file browser to reduce the attack surface.
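As an added example (not from this advisory or the OOD project), the shell function below supports the permission review above by auditing one file-browser root for two things: regular files readable by the group or by others, which are what an allowlist bypass could expose, and symbolic links whose resolved target lies outside the tree. It assumes a POSIX shell with find and a readlink that supports -f (GNU coreutils or a recent BSD/macOS); the path in the usage line is a placeholder.

```shell
# Audit one file-browser root for exposure that an allowlist bypass could reach.
# Usage: audit_tree /path/to/user/tree   (placeholder path)
audit_tree() {
    root=$(readlink -f "$1") || return 2
    # (a) regular files readable by group (040) or others (004)
    find "$root" -type f \( -perm -040 -o -perm -004 \) -print
    # (b) symlinks whose resolved target is not under the tree
    find "$root" -type l -print | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target=""
        case "$target" in
            "$root"/*) ;;   # stays inside the tree
            *) printf 'ESCAPES %s -> %s\n' "$link" "${target:-<dangling>}" ;;
        esac
    done
}
```

Run it against each directory that OOD_ALLOWLIST exposes; files listed under (a) deserve a look at their mode and group membership, and every ESCAPES line is a link that would point outside the intended scope if it were ever served.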
